Submit a vulnerability

Purpose

As part of Mox Bank’s commitment to keeping our bank and our customers’ data safe and secure, we actively encourage security researchers to report suspected security vulnerabilities related to our services to us, to further strengthen and ensure the integrity of our systems and processes.

Below we have outlined the policy on how to submit a suspected vulnerability (Vulnerability Report) to us in a responsible manner, how we will respond, and what we expect from you when you are using our services.

How to submit a Vulnerability Report

If you discover a suspected security vulnerability in our services, please follow the process below to notify us.

Please read this entire policy, as submitting a Vulnerability Report to us confirms your agreement to all the terms set out in this policy.

Your responsibilities

When you submit a suspected security vulnerability (Vulnerability Report) related to our services, you acknowledge that you must not:

  • Cause any harm or intend to harm us, our customers, employees, partners, or suppliers, or engage in testing or researching of systems with the intention of causing such harm.

  • Access or tamper with the accounts or information of others. Respect privacy and only focus on your own accounts or data.

  • Violate any laws or regulations. Ensure all your activities adhere to applicable legal and regulatory standards.

  • Engage in or perform social engineering, spamming, phishing, automated scanning, denial of service or other resource exhaustion attacks, or any other action that could degrade, damage, or interrupt our services.

  • Exploit, misuse, or manipulate any identified vulnerabilities in any way. This includes:

    • Exfiltrating or attempting to exfiltrate any data.
    • Misusing, copying, deleting, modifying, or otherwise manipulating any data or systems.
    • Accessing or changing, or attempting to access or change, the services or data of others.
    • Compromising the personal data of others.
    • Sharing or facilitating system access for others.

  • Test or attempt to test the physical security of any of our properties.

  • Scan the infrastructure of any of our host providers, third parties, or suppliers.

  • Disclose information related to any actual or suspected vulnerability or any Vulnerability Report, including any details of any actual or suspected vulnerability or a Vulnerability Report and the fact that vulnerabilities have been reported, to any third parties.

By submitting a Vulnerability Report to us, you understand and agree that:

  • We may use your Vulnerability Report for any purpose deemed relevant by us, including the correction of any identified vulnerabilities that we determine at our sole discretion to exist and require correction.
  • Providing a Vulnerability Report to us and undertaking any actions associated with such Vulnerability Report does not grant you the right to any intellectual property owned by us or any third party.
  • The Vulnerability Report and any improvements, remediation, or similar proposed by you in relation to our services (improvements) are owned by us, and you assign all intellectual property rights in the Vulnerability Report and any improvements to us immediately on creation.
  • Any Vulnerability Report is provided by you without expectation or requirement of any reward or benefit.
  • We will not be liable for any expense, damage, or loss of any kind which you may incur in relation to any Vulnerability Report.
  • We will not provide any protection or immunity from civil or criminal liability (if any) under applicable laws and regulations.
  • We do not assume any responsibility for the contents of any Vulnerability Report submitted by you.
  • Our acknowledgement of any Vulnerability Report does not represent our endorsement of its contents.
  • We are not obliged to consult with you about any public statement we may elect in our sole discretion to release in relation to a Vulnerability Report submitted by you.
  • Nothing in this policy creates an agency, partnership, association, joint venture or similar relationship between you and us.

Privacy

We only keep limited personal details about you, such as your name (where you give it to us), your email ID and the contents of your disclosure. We keep these details in accordance with our Privacy notice, available on our website.

Next steps

Upon receipt of your Vulnerability Report, we may use the information provided to address the identified vulnerabilities. Where necessary, we may also need to contact you to clarify any details of your Vulnerability Report. However, we do not guarantee that you will receive a response from us.

Last updated: 26 September 2024